Information technology tools and resources at the UW
Here’s our semi-annual newsletter update on recent happenings with the UW Windows Infrastructure.
==== New Capabilities and Improvements ====
* Group Managed Service Accounts are available to Delegated OU customers. This provides a self-service, higher-security option for non-interactive applications, services, and scheduled tasks that run automatically but need a security credential. See http://www.netid.washington.edu/documentation/groupManagedServiceAccounts.aspx.
* Kerberos delegation sensitivity enforced. Protections for certain types of UW NetIDs from applications that use this “logon on behalf of” capability. You can waive those protections for a given NETID user if you need to—just contact us.
* Major integration component refactors:
-UWWI Person Data Agent refactor. Upgraded from Microsoft Identity Lifecycle Manager to Microsoft Forefront Identity Manager. Revised data sources. Added name override source. Simplified.
-UWWI Group Sync Agent refactor. Upgraded from unsupported ActiveMQ technology to Amazon Message Bus.
-UWWI Kiwi Agent version release. NETID user deletion behavior revised.
* We’d like to ask all customers to provide input on what you’d like to see us invest our continual service improvement time in. Toward that end, we’ve created a survey in UserVoice where you have 5 votes to cast on topics which you would like us to prioritize. We’ve seeded the topic list with 17 ideas, but you can also create new topic ideas. We’ll keep the survey open until the end of August. https://ontheroa.uservoice.com/forums/258239-uwwi
* NTLMv1 efforts. During Winter quarter, we analyzed NTLMv1 authentication afresh with the benefit of knowing which applications had problems during last summer’s failed attempt. During Spring quarter, we generated a comprehensive set of resources to help others identify and turn off their dependency on NTLMv1. This summer, we plan to turn off NTLMv1. We’ve been publishing our log data, and directly contacting users we know to be using NTLMv1. Because of the way NTLM works, removing NTLMv1 is a community effort. Many of you have worked hard on this, and you all deserve the university’s thanks for helping do your part to help clean up this old, insecure authentication protocol. Thanks!! J
* Early in Winter quarter, we transitioned the “private” view of the netid.washington.edu DNS zone from campus DNS to the NETID domain controllers. We did this primarily to improve our operational and business continuity stance: with this change we can demote/promote domain controllers without external assistance, with vastly reduced latency. We believe this will be invaluable for changes such as the upcoming domain controller upgrades. Some non-Windows LDAP clients experienced unexpected problems due to this change and there is a known workaround.
* Eric Kool-Brown joined us two years ago, and has become an invaluable part of the UWWI service team. He’s responsible for all the work on two of the major refactors noted above, and has provided leadership with ADFS. Anyone who has interacted with Eric knows he will leave no stone unturned in his quest to provide a quality outcome. We appreciate his contribution and the deep development and engineering background he brings to our service team.
==== Trends ====
* Since January, UWWI has added: 2 delegated OUs (91 total), 0 trusts (57 total), ~1000 computers (8703 total), ~50k users (688k total), -5k groups (97k total).
* UWWI support requests have grown by 7%. 188 UWWI support tickets resolved since January (vs. 176 in prior period).
You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.
==== What’s Next ====
NOTE: This time around, we’re only forecasting for the summer quarter, instead of the next 6 months. Your input on the survey will change what we prioritize Fall quarter.
Our objectives for the 3 months ahead include:
* Turn off NTLMv1 on NETID domain controllers. Assist anyone that needs it.
* Upgrade NETID DCs to Windows Server 2012 R2. Announcements about timing coming soon.
* Move the UWWI Group Sync Agent to an active-active architecture, deploying a second agent on an Azure VM, to improve our business continuity availability characteristic.
* Replace Secondary WINS server
* Analyze survey results, summarize, and make future backlog prioritization based on results.
* Evaluate the new Protected Users group and Authentication Policy Silo capabilities for their appropriateness to university use cases and known security gaps.
* Continue exploration of the feasibility of deploying an AD-integrated Certificate Authority.
* Internal operational improvements: SCVMM refresh, some performance counter collection and other metrics improvements, additional server capacity
Of the 10 forecasted objectives we listed in the last UWWI News, here’s a review on how they turned out:
- 3 were successfully completed: UWWI Group Sync Agent refactor, gMSA release, and ILM replacement.
- 3 were started and continue: UWWI Group Sync Agent has active-active architecture, Protected Users/Authentication Policy Silo, AD-integrated CA explorations
- 2 were deferred: Enable dynamic access control (customer interest?), audit log retention/reporting (waiting to align with emerging monitoring service)
- 1 was externally blocked: Azure project team partnership. This project came to an end, not making as much progress as we hoped. However as an example of the success of that project, 2 weeks ago, UWWI requested the first hybrid VM via the Standard Managed Server service. At this time, UWWI doesn’t have plans to have an Azure VM NETID domain controller, but that may change in the future.
- 1 is ‘will not pursue’: Add new AD site in Spokane (UW network design made pursuing this prohibitive).
==== Your Feedback ====
Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.
The UWWI service has a backlog or roadmap visible to customers at https://wiki.cac.washington.edu/display/UWWI/UWWI+Roadmap where you can see more details about current and some future work items.
UW-IT, UWWI Service Manager